Privacy Policy

    Your Privacy is Our Priority

    We are committed to protecting your personal information and being transparent about how we collect, use, and safeguard your data in compliance with Canadian privacy laws.

    Effective Date: October 25, 2025

    Last Updated: October 25, 2025

    Version: 2.0

    Legal Entity: AssetLab CMMS Software Inc., North Vancouver, British Columbia, Canada

    Multi-Jurisdictional Compliance: This Privacy Policy is designed to comply with:

    • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
    • European Union General Data Protection Regulation (GDPR)
    • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
    • Canada's Anti-Spam Legislation (CASL)

    1. Introduction

    1.1 Scope and Application

    AssetLab CMMS Software Inc. ("AssetLab," "we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our asset management platform and services (the "Service").

    This Privacy Policy applies to all users of AssetLab, including visitors to our website (assetlab.ca), registered users of the Service, and individuals whose information is processed through the Service. This Policy should be read in conjunction with our Terms of Service, which govern your use of the Service.

    1.2 Data Controller and Data Processor Roles

    For purposes of applicable data protection laws:

    • AssetLab as Data Controller: For information we collect directly from you (account information, billing data, website usage), AssetLab acts as the "Data Controller" or "Business," determining the purposes and means of processing.
    • AssetLab as Data Processor: For Customer Data you upload to the Service, AssetLab acts as a "Data Processor" or "Service Provider," processing personal information solely on your behalf and according to your instructions. In this role, you (our customer) are the Data Controller responsible for obtaining necessary consents and ensuring lawful processing.

    This dual-role structure is further detailed in our Terms of Service (Section 8: Data Protection, Privacy, and Processing).

    1.3 Consent and Acceptance

    By accessing or using the Service, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree with our policies and practices, you must not access or use the Service.

    Where we require your consent for specific processing activities (e.g., marketing communications, optional cookies), we will seek your explicit opt-in consent at the time of collection.

    2. Information We Collect

    We collect several types of information from and about users of our Service:

    2.1 Personal Information

    Personal information is data that can be used to identify you. We collect the following types of personal information:

    • Account Information: Name, email address, phone number, job title, organization name
    • Authentication Data: Email address for OTP (one-time password) authentication via Clerk
    • Billing Information: Payment method details (processed securely by third-party payment processors)
    • Profile Information: User preferences, settings, and profile customization
    • Communication Data: Information you provide when contacting our support team or communicating with us

    2.2 Customer Data

    Customer Data is information you input, upload, or create while using the Service, including:

    • Asset information (descriptions, locations, specifications, serial numbers)
    • Work order details and maintenance records
    • Vendor and contractor information
    • Parts inventory and procurement data
    • Financial data related to asset management (costs, budgets, expenses)
    • Documents, images, and attachments uploaded to the platform
    • Any other business data you choose to store in the Service

    Important: You retain all ownership rights to your Customer Data. We process Customer Data only as necessary to provide the Service and as instructed by you.

    2.3 Automatically Collected Information

    When you access or use the Service, we automatically collect certain technical information:

    • Usage Data: Pages visited, features used, time spent on pages, click patterns
    • Device Information: Device type, operating system, browser type and version
    • Log Data: IP address, access times, error logs, performance data
    • Cookies and Similar Technologies: Session identifiers, preferences, authentication tokens

    2.4 Information from Third Parties

    We may receive information about you from third-party services:

    • Clerk: Authentication and identity verification data
    • Payment Processors: Payment confirmation and billing information
    • Analytics Services: Aggregated usage statistics and performance metrics

    3. How We Use Your Information

    We use the information we collect for the following purposes:

    3.1 Service Delivery

    • Create and manage your account
    • Authenticate your identity and maintain security
    • Provide access to the Service and its features
    • Process and store your Customer Data
    • Deliver customer support and respond to inquiries

    3.2 Billing and Payments

    • Process subscription fees and payments
    • Generate invoices and billing statements
    • Manage subscription renewals and cancellations
    • Detect and prevent payment fraud

    3.3 Communication

    • Send transactional emails (account notifications, password resets, billing confirmations)
    • Provide customer support and technical assistance
    • Send service announcements and updates (with opt-out option for non-essential communications)
    • Respond to your requests, questions, and feedback

    3.4 Service Improvement and Analytics

    • Monitor and analyze usage patterns to improve the Service
    • Develop new features and functionality
    • Conduct research and analytics (using aggregated, anonymized data)
    • Troubleshoot technical issues and optimize performance

    3.5 Security and Compliance

    • Detect, prevent, and respond to fraud, abuse, and security incidents
    • Enforce our Terms of Service and other policies
    • Comply with legal obligations and regulatory requirements
    • Protect the rights, property, and safety of AssetLab, our users, and others

    4. Legal Basis for Processing (PIPEDA Compliance)

    Under PIPEDA, we process personal information based on the following legal grounds:

    • Consent: You provide explicit or implied consent when creating an account and using the Service
    • Contract Performance: Processing is necessary to fulfill our contractual obligations under the Terms of Service
    • Legal Obligations: Processing is required to comply with Canadian laws and regulations
    • Legitimate Interests: Processing is necessary for our legitimate business interests (e.g., fraud prevention, service improvement) that do not override your privacy rights

    5. How We Share Your Information

    We do not sell, rent, or trade your personal information. We may share your information in the following limited circumstances:

    5.1 Service Providers (Subprocessors)

    We engage trusted third-party service providers to assist in operating the Service:

    • Clerk: Authentication and user identity management (SOC 2 Type II certified)
    • Supabase: Database hosting and infrastructure (SOC 2 Type II certified, Canadian data residency)
    • Payment Processors: Secure payment processing (PCI-DSS compliant)
    • Email Service Providers: Transactional email delivery

    All service providers are contractually obligated to protect your information and use it only for the purposes we specify.

    5.2 Legal Requirements

    We may disclose your information if required to do so by law or in response to:

    • Valid legal processes (subpoenas, court orders, search warrants)
    • Requests from government authorities or law enforcement
    • Compliance with applicable laws and regulations
    • Protection of our legal rights or those of others

    5.3 Business Transfers

    In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the successor entity. We will provide notice before your information is transferred and becomes subject to a different privacy policy.

    5.4 With Your Consent

    We may share your information for other purposes with your explicit consent.

    6. Data Security

    We implement industry-standard security measures to protect your information:

    6.1 Technical Safeguards

    • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
    • Authentication: Passwordless OTP authentication via Clerk with optional MFA
    • Access Controls: Role-based access control (RBAC) with 173 granular permissions
    • Database Security: PostgreSQL row-level security (RLS) for multi-tenant data isolation
    • Network Security: Firewalls, intrusion detection, and DDoS protection

    6.2 Organizational Safeguards

    • Regular security training for employees
    • Strict internal access policies (need-to-know basis)
    • Third-party security audits and penetration testing
    • Incident response and breach notification procedures
    • Background checks for employees with access to sensitive data

    6.3 Security Limitations

    While we implement strong security measures, no system is completely secure. We cannot guarantee absolute security of your information. You are responsible for maintaining the confidentiality of your account credentials and for any activities under your account.

    6.4 Data Breach Notification and Incident Response

    Data Breach Protocol: In the event of a security incident that results in unauthorized access to, disclosure of, or loss of personal information, AssetLab has established the following notification protocol in compliance with PIPEDA, GDPR, and applicable provincial laws.

    Notification Timeline and Process

    If we determine that a data breach has occurred that poses a real risk of significant harm to affected individuals, we will:

    • Notify Affected Users: Within 72 hours of becoming aware of the breach (GDPR Article 34 compliance), or as soon as feasible under PIPEDA, we will notify affected individuals via email to the address associated with their account
    • Notify Regulatory Authorities: Report the breach to the Office of the Privacy Commissioner of Canada (OPC), relevant provincial authorities, and/or EU supervisory authorities within required timelines
    • Notify Our Customers (B2B): If Customer Data is affected, we will immediately notify the relevant customer organization to enable them to fulfill their own notification obligations under applicable data protection laws

    Information Provided in Breach Notifications

    Our breach notifications will include:

    • A description of the nature and extent of the breach, including categories and approximate number of affected individuals and data records
    • The likely consequences of the breach and potential risks to affected individuals
    • Measures taken or proposed to address the breach, mitigate harm, and prevent future incidents
    • Contact information for our Privacy Officer and instructions for individuals to protect themselves (e.g., password resets, fraud monitoring)
    • Information about your right to lodge a complaint with supervisory authorities

    Incident Response Measures

    Upon detecting a security incident, AssetLab will immediately:

    • Contain and remediate the breach to prevent further unauthorized access
    • Conduct a thorough investigation to determine the scope, cause, and impact
    • Preserve evidence for forensic analysis and regulatory investigations
    • Implement additional security measures to prevent recurrence
    • Provide regular updates to affected individuals throughout the response process

    Your Rights Following a Breach

    If your personal information is affected by a data breach, you have the right to:

    • Receive timely and transparent information about the breach
    • Request deletion of your compromised personal information
    • File a complaint with the Office of the Privacy Commissioner of Canada or relevant supervisory authority
    • Seek compensation for damages resulting from the breach, subject to applicable law and our Terms of Service (Section 10: Limitation of Liability)

    7. Data Retention

    We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy:

    • Active Accounts: Personal information and Customer Data are retained for the duration of your active subscription
    • Terminated Accounts: After account termination, we retain data for 30 days to allow for reactivation or data recovery
    • Backup Data: Deleted data may persist in backups for up to 90 days before permanent deletion
    • Legal Compliance: We may retain certain data longer if required by law (e.g., tax records for 7 years)
    • Anonymized Data: We may retain aggregated, anonymized data indefinitely for analytics and research

    8. Your Privacy Rights (PIPEDA)

    Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), you have the following rights:

    8.1 Right to Access

    You have the right to request a copy of all personal information we hold about you. We will provide this information within 30 days of your request, subject to verification of your identity.

    8.2 Right to Correction

    You have the right to request corrections to any inaccurate or incomplete personal information. You can update most information directly in your account settings.

    8.3 Right to Deletion

    You have the right to request deletion of your personal information and Customer Data, subject to:

    • Legal obligations requiring us to retain certain data
    • Legitimate business purposes (e.g., fraud prevention, resolving disputes)
    • Backup retention periods (up to 90 days)

    8.4 Right to Data Portability

    You have the right to export your Customer Data in commonly used formats (CSV, JSON) at any time through the Service interface.

    8.5 Right to Withdraw Consent

    You may withdraw your consent to our processing of your personal information at any time by terminating your account. Note that withdrawal of consent may prevent us from providing the Service.

    8.6 Right to File a Complaint

    If you believe we have not complied with PIPEDA, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC).

    8.7 Exercising Your Rights

    To exercise any of these rights, please contact us at privacy@assetlab.ca. We will respond to your request within 30 days.

    9. Sensitive Personal Information We Do NOT Collect

    IMPORTANT: AssetLab is NOT designed to collect, store, or process sensitive personal information. You are PROHIBITED from uploading the following types of data to the Service, as specified in our Terms of Service (Section 6.2: Prohibited Data Types).

    Prohibited Data Categories

    The following categories of sensitive personal information must NOT be uploaded to or stored in the Service:

    • Government-Issued Identifiers: Social Insurance Numbers (SINs), Social Security Numbers (SSNs), passport numbers, driver's license numbers, national identification numbers
    • Financial Account Information: Credit/debit card numbers, bank account numbers, financial credentials (except as processed by our PCI-DSS compliant payment processor Stripe for billing purposes only)
    • Protected Health Information (PHI): Medical records, health insurance information, diagnoses, treatment information, or any data subject to HIPAA, PHIPA, or similar health privacy laws
    • Biometric Data: Fingerprints, facial recognition data, retinal scans, voiceprints, DNA, or other biometric identifiers
    • Sensitive Personal Characteristics: Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, sex life, or sexual orientation
    • Children's Personal Information: Personal information of individuals under age 13 (or the applicable age of digital consent in your jurisdiction, which is 16 in the EU)
    • Criminal Records: Information about criminal convictions, offenses, or related security measures
    • Authentication Credentials for Third-Party Systems: Passwords, API keys, access tokens, or cryptographic private keys for external systems

    Consequences of Uploading Prohibited Data

    If you upload prohibited sensitive data to the Service:

    • You are in material breach of our Terms of Service
    • AssetLab may immediately suspend or terminate your account without refund
    • You are solely responsible for any regulatory penalties, fines, or third-party claims arising from such unauthorized data uploads
    • You indemnify AssetLab for all costs and damages resulting from your upload of prohibited data (see Terms of Service Section 11: Indemnification)

    10. Your California Privacy Rights (CCPA/CPRA)

    California Residents: If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.

    10.1 Categories of Personal Information Collected

    In the preceding 12 months, AssetLab has collected the following categories of personal information from California residents:

    • Identifiers: Name, email address, IP address, unique device identifiers
    • Commercial Information: Purchase history, subscription plan, transaction records
    • Internet/Network Activity: Browsing history on our website, usage data, log files
    • Professional/Employment Information: Job title, company name, work contact information
    • Inferences: Preferences, usage patterns, and characteristics derived from your activity

    10.2 Do Not Sell or Share My Personal Information

    We Do NOT Sell Your Personal Information: AssetLab does not sell, and has not sold in the preceding 12 months, personal information of California residents to third parties for monetary or other valuable consideration.

    We do not "share" personal information for cross-context behavioral advertising purposes as defined by the CPRA. We do not engage in targeted advertising or profiling in furtherance of decisions that produce legal or similarly significant effects.

    10.3 Your CCPA/CPRA Rights

    California residents have the following rights:

    • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources from which it was collected, the purposes for collection, and the categories of third parties with whom we share it
    • Right to Delete: Request deletion of your personal information, subject to certain exceptions (e.g., legal compliance, fraud prevention)
    • Right to Correct: Request correction of inaccurate personal information we maintain about you
    • Right to Opt-Out of Sale/Sharing: Opt out of the sale or sharing of your personal information (note: we do not sell or share as defined by CCPA/CPRA)
    • Right to Limit Use of Sensitive Personal Information: Limit our use of sensitive personal information (note: we do not collect sensitive personal information as defined by CPRA)
    • Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your CCPA/CPRA rights

    10.4 Exercising Your CCPA/CPRA Rights

    To exercise your rights under CCPA/CPRA, please:

    • Email us at privacy@assetlab.ca with the subject line "CCPA Request"
    • Submit a request through your account settings (for registered users)

    We will verify your identity before processing your request and respond within 45 days (extendable by an additional 45 days if reasonably necessary). You may designate an authorized agent to make a request on your behalf by providing written authorization.

    10.5 Shine the Light Law

    California Civil Code Section 1798.83 permits California residents to request information about our disclosure of personal information to third parties for their direct marketing purposes. AssetLab does not disclose personal information to third parties for their direct marketing purposes.

    11. Automated Decision-Making and Profiling

    11.1 No Automated Decision-Making with Legal Effects

    AssetLab does not engage in automated decision-making (including profiling) that produces legal effects concerning you or similarly significantly affects you, as defined by GDPR Article 22.

    Specifically, we do not use automated processing to make decisions about:

    • Your eligibility for the Service
    • Credit decisions, insurance underwriting, or similar financial assessments
    • Employment decisions, performance evaluations, or disciplinary actions
    • Legal rights, contractual obligations, or access to essential services

    11.2 Analytics and Service Optimization

    We do use automated processing for the following purposes, which do not produce legal or similarly significant effects:

    • Usage Analytics: Analyzing usage patterns to improve Service performance and user experience
    • Security Monitoring: Detecting fraudulent or abusive activity through automated threat detection systems
    • Service Personalization: Customizing your user interface based on preferences and past activity (e.g., recently accessed assets, saved views)
    • Feature Recommendations: Suggesting Service features that may be useful based on your subscription tier and usage patterns

    You may opt out of non-essential analytics and personalization through your account settings.

    11.3 Future AI Features (If Implemented)

    If we introduce AI-powered features in the future (e.g., predictive maintenance recommendations, automated work order prioritization), we will:

    • Clearly disclose the use of automated decision-making or profiling
    • Provide information about the logic involved and the significance of such processing
    • Obtain your explicit consent where required by law
    • Provide mechanisms to challenge automated decisions and request human review
    • Comply with all applicable AI governance frameworks and regulations

    See our Terms of Service (Section 15: Artificial Intelligence Features) for additional information about AI-related terms.

    12. Marketing Communications and Opt-Out

    12.1 Types of Communications

    AssetLab may send you the following types of communications:

    • Transactional Communications (Cannot Opt-Out): Account notifications, password resets, billing confirmations, security alerts, Service updates required for platform functionality
    • Service Announcements (Can Opt-Out): New feature releases, product updates, maintenance notifications, best practices guides
    • Marketing Communications (Opt-In Required): Promotional emails, newsletters, webinar invitations, case studies, industry insights

    12.2 CASL Compliance (Canada's Anti-Spam Legislation)

    AssetLab complies with Canada's Anti-Spam Legislation (CASL). We will only send you commercial electronic messages (CEMs) if:

    • You have provided express consent by opting in to receive marketing communications
    • We have an existing business relationship with you (e.g., you are an active subscriber), and the message relates to your use of the Service
    • You have inquired about the Service within the past 6 months, and the message relates to your inquiry

    12.3 How to Opt-Out of Marketing Communications

    You may opt out of marketing communications at any time by:

    • Clicking the "Unsubscribe" link in any marketing email
    • Updating your email preferences in your account settings
    • Emailing privacy@assetlab.ca with the subject line "Unsubscribe"
    • Replying to any marketing email with "STOP" or "UNSUBSCRIBE"

    We will process your opt-out request within 10 business days as required by CASL. Note that opting out of marketing communications will not affect transactional communications necessary for Service operation.

    12.4 Do Not Track Signals

    Some web browsers have a "Do Not Track" (DNT) feature that signals to websites that you do not want to have your online activity tracked. Currently, there is no universally accepted standard for how to respond to DNT signals. As a result, AssetLab does not respond to DNT browser signals. However, you can manage cookies and tracking through your browser settings and our cookie preferences center.

    13. Data Location and Cross-Border Transfers

    13.1 Canadian Data Residency

    All personal information and Customer Data are stored on servers located in Canada (AWS ca-central-1 region via Supabase). Your data does not leave Canada without your explicit consent.

    13.2 Service Providers

    Some of our service providers (e.g., Clerk for authentication) may process data outside of Canada. When this occurs:

    • We ensure adequate contractual protections are in place
    • Service providers comply with SOC 2 Type II or equivalent security standards
    • Data processing is limited to what is necessary to provide the Service

    14. Cookies and Tracking Technologies

    We use cookies and similar technologies to provide, secure, and improve the Service:

    14.1 Essential Cookies

    Required for the Service to function (authentication, session management, security). These cannot be disabled.

    14.2 Functional Cookies

    Remember your preferences and settings to enhance your experience.

    14.3 Analytics Cookies

    Help us understand how users interact with the Service to improve functionality and performance. These are optional and can be disabled in your browser settings.

    15. Children's Privacy

    The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at privacy@assetlab.ca and we will delete the information.

    16. Changes to This Privacy Policy

    We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by:

    • Posting the updated Privacy Policy on our website with a new "Last Updated" date
    • Sending an email notification to your registered email address
    • Displaying an in-app notification upon your next login

    Material changes will be effective 30 days after notice is provided. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

    17. Contact Information

    If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

    AssetLab CMMS Software Inc.

    Privacy Officer: privacy@assetlab.ca

    General Inquiries: support@assetlab.ca

    Address: North Vancouver, British Columbia, Canada

    Response Time: We will respond to privacy requests within 30 days

    Office of the Privacy Commissioner of Canada

    If you are not satisfied with our response to your privacy concerns, you may contact the Office of the Privacy Commissioner of Canada:

    Website: www.priv.gc.ca

    Toll-Free: 1-800-282-1376

    Email: info@priv.gc.ca

    Legal Notice: This Privacy Policy was last updated on October 25, 2025 (Version 2.0). We strongly recommend printing or saving a copy of this Policy for your records.

    Key Enhancements in Version 2.0: This updated Privacy Policy includes comprehensive PIPEDA/GDPR/CCPA compliance, 72-hour data breach notification protocol (Section 6.4), explicit sensitive data prohibitions (Section 9), California Consumer Privacy Rights with "Do Not Sell" confirmation (Section 10), automated decision-making disclosures (Section 11), CASL-compliant marketing opt-out mechanisms (Section 12), data controller/processor role definitions (Section 1.2), and cross-references to our Terms of Service. These enhancements ensure AssetLab meets the highest standards of privacy protection across multiple jurisdictions.

    Your Privacy Matters: We are committed to transparency, accountability, and user control in all our privacy practices. If you have any questions or concerns about how we handle your personal information, please don't hesitate to contact our Privacy Officer at privacy@assetlab.ca.
